Booz Allen Hamilton urges supply chain cyberattacks rethink

A robotics expert with consultancy firm Booz Allen Hamilton (BAH) has sounded the alarm over the dangers to global supply chains posed by social engineering.

Dr Sean Anthony Guillory, a Senior Robotics Process Automation Bot Developer says too much talk around supply chain cybersecurity is focused on hardware and technology.

“Cybersecurity discussions often focus on data, digital infrastructure, and physical systems rather than people,” he writes in a BAH blogpost, How social engineering threatens supply chains. “But the human element is key when modelling cyber threats to supply chains.”

It is humans, he says, on whom all supply chains depend. 

“It is humans who plan, gather supplies, manufacture, deliver and enable sales,” he writes. “And it is humans who are responsible for all the communications and logistics in between.” 

Dr Guillory points out  this is why cyber criminals target people as a way  of hacking into supply chain systems. 

“In some supply chain attacks, influencing humans is the end goal, and this is why cyber leadership needs to prepare for this kind of threat.”

The term social engineering describes a broad range of malicious activities based on human interaction. Typically, cyber criminals use psychological manipulation to trick users into making security mistakes, or giving away sensitive information.

Social engineering first came to the fore in the 1980s, when the world’s most infamous hacker, Kevin Mitnick used the practice to hack North American Defense Command, an event that inspired the movie War Games.  

Six forms of social engineering attacks

Mitnik, now a cyber security consultant, lists six classes of social engineering attack:

Phishing  A technique in which the hacker sends fraudulent emails, claiming to be from a reputable and trusted source, such as a bank, with the aim being to steal private data. 

Vishing and smishing  Similar to phishing, but using phone calls and text messages as the modes of deception. Vishing is short for voice phishing and Smishing is short for SMS phishing. 

Pretexting  A type of social engineering whereby the hacker creates a scenario where the victim feels compelled to comply under false pretences. The hacker will impersonate a high-level employee of an  organisation that typically holds personal data, such as a bank, a credit card firm or a utility company.

Baiting  This technique lures the victim to share personal or corporate data with a bait, such as the promise of a gift card. Hackers also target industry conferences and events, where they will hand out free USB drives. The victim believes they are getting a free storage device, but the hacker will have loaded it with remote-access malware that infects the computer when plugged in. 

Tailgating and piggybacking  Tailgating is where a hacker gains physical access into a building by slipping through a door or access point behind an authorised employee. Piggybacking is where an authorised employee allows the hacker to ‘piggyback’ off their credentials. Typically, the hacker will manipulate the victim into complying by carrying a heavy object, and asking the staff member to ‘swipe me through’.

Quid Pro Quo  Quid pro quo This is Latin for 'something for something', and involves the attacker attempting a trade-of-service for information. This might involve the hacker calling the main line of a company pretending to be from the IT department, and claiming they are trying to reach someone who has a technical issue. 

Once the attacker finds a user who has technical issues, they promise to fix the problem, and casually ask for login details to make good on this promise. 

Rethink approach to social engineering security

Dr Guillory urges organisations to rethink how they categorise social engineering attacks so that they are better prepared to protect themselves.

“Often businesses focus on the means attackers use to trick victims, such as phishing, vishing, and technical support scams,” he says. “But simply labelling a threat does not speak to the adversary’s objective.” 

Not all such attacks are about gaining access, information, or money, Dr Guillory says, adding that organisations should consider the end goal of the attacker.

Dr Guillory feels businesses should categorise social engineering attacks as being either:

• Human-to-information (H2I) attacks, which target humans as a means to steal data.
• ‘Information-to-human’ (I2H) attacks, which use misinformation (misleading) or disinformation (false) to influence people’s behaviour.

“Both H2I and I2H attacks involve social engineering, but cybersecurity professionals tend to focus on H2I,” says Dr Guillory. 

He adds: “The most common H2I attacks on supply chains include email spoofing and vendor email compromise, which are usually aimed at supply chain managers to gain access to contact and financial information for different partner companies.” 

Dr Guillory also encourages organisations to remember that all forms of  social engineering attack “have a corrosive effect on trust”. 

He adds: “There can be a tendency to blame victims of social engineering schemes in a way that might not happen when a company is attacked. 

“Trust is the glue binding all relationships in business, society, and democracy, and hackers know this. 

“As geopolitical tensions continue to rise, organisations should expect advanced threat actors to increasingly target trust through cyber, soft power, and other non-kinetic means.”